Now we’ll zip up our function into HelloWorldEncrypted.zip, ready to send to AWS.

zip HelloWorldEncrypted.zip HelloWorldEncrypted.py

Now it’s time to upload our function to AWS and create the associated environment variables. If you’re using a Python editor, then you’ll need to install boto3 locally to keep the editor happy, but you don’t need to include boto3 in the code you send to AWS Lambda – it comes pre-installed.

Now we write the following code to automate the creation of our Lambda function:

The tricky bit for me here was figuring out that I needed to pass the value that I wanted to base64-encode to the output of the value encrypted by the KMS client. The KMS client relies on a KMS key that we need to set up. We can see a list of all our KMS keys by running the following command:

$ aws kms list-keys

The format of these keys is arn:aws:kms:[zone]:[account-id]:key/[key-id].
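
The encrypt-then-base64 step described above, as an added example that is not the original post's code: KMS returns raw ciphertext bytes, Lambda environment variables must be strings, and the handler has to reverse both steps. The function names, the FakeKMS stand-in and the sample ARN are assumptions made for this illustration; FakeKMS mirrors only the encrypt/decrypt call shapes of boto3's KMS client.

```python
import base64
import re

# Key ARN layout as given above: arn:aws:kms:[zone]:[account-id]:key/[key-id]
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")


def encrypt_env_value(kms, key_arn, plaintext):
    """Encrypt with KMS, then base64-encode so the result fits a string env var."""
    if not KEY_ARN_RE.match(key_arn):
        raise ValueError("not a KMS key ARN: %r" % key_arn)
    resp = kms.encrypt(KeyId=key_arn, Plaintext=plaintext.encode("utf-8"))
    # CiphertextBlob is raw bytes; Lambda environment variables must be text.
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def decrypt_env_value(kms, encoded):
    """Handler side: base64-decode first, then ask KMS to decrypt the blob."""
    blob = base64.b64decode(encoded, validate=True)
    return kms.decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")


def build_environment(kms, key_arn, secrets):
    """Build the Environment argument for the Lambda create_function call."""
    return {"Variables": {name: encrypt_env_value(kms, key_arn, value)
                          for name, value in secrets.items()}}


class FakeKMS:
    """Constructed offline stand-in for boto3.client('kms'); NOT real encryption."""

    def encrypt(self, KeyId, Plaintext):
        # Prefix with non-text bytes to show why base64 is needed.
        return {"CiphertextBlob": b"\x01\x02\xff" + Plaintext[::-1], "KeyId": KeyId}

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": CiphertextBlob[3:][::-1]}


# Constructed sample value (placeholder account id and key id).
SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    kms = FakeKMS()  # swap for boto3.client("kms") to use a real key
    env = build_environment(kms, SAMPLE_KEY_ARN, {"DB_PASSWORD": "s3cret"})
    print(env)
    print(decrypt_env_value(kms, env["Variables"]["DB_PASSWORD"]))
```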
